Re: XP PCs suddenly not doing passthrough auth

From: Roger Abell [MVP] (mvpNOSPAM@asu.edu)
Date: 01/31/03


From: "Roger Abell [MVP]" <mvpNOSPAM@asu.edu>
Date: Fri, 31 Jan 2003 08:04:02 -0700


This info _may_ apply or give you ideas.
It seems that with XP SP1 the SMB signing was changed in
XP to be incompatible with W2k. Some 10 days back I dealt
with a gentleman who posted a very similar situation, but with
Cisco VPN hardware. At that time MS had a KB that detailed
the issue, offered a patch and a workaround. However, about
two days later the KB was offline and unavailable. So, you
may want to research SMB signing (w2k with xp sp1) in TechNet.
The workaround that article suggested was to go into group
policy and disable the SMB signing policies (there are 4, 2 for
client and 2 for server, 1 of each is always and 1 of each is
when possible). It detailed the default settings and did suggest
explicitly disabling them. But note - that KB went offline.
The gentleman of the Cisco post resolved his issue by using
client policy to disable the client ability to use alternate network
credentials. I had suggested he see if the client had configured
this to use invalid credentials, or if explicitly setting credentials
for the VPN connection would help. He came back with his
solution of disabling this feature entirely on the client.
Searching TechNet for the most recent info along these lines
is the best I can suggest for you.

Good luck, and let us know, would you?

--
Roger Abell
MS MVP (Security, Windows), MCDBA,  MCSE both
Associate Expert - Windows XP ExpertZone
http://www.microsoft.com/windowsxp/expertzone
"Philip Schlesinger" <pschlesinger@teltechplus.com> wrote in message
news:OBg3p9JyCHA.2584@TK2MSFTNGP11...
> Dear all,
>
> My CEO has at his home four PCs on a workgroup:
>
> One Windows XP Pro PC (P3 Xeon, 1GB RAM)
> Two identical Windows XP Home PCs (P4M, 256MB RAM)
> One Windows 2000 Pro PC (P3-733, 256MB RAM)
>
> At the location, he has a SonicWALL firewall (connected to cable Internet)
> that does box-to-box VPN to our corporate SonicWALL firewall (connected to a
> T-1).
>
> Because the home network is a workgroup, we set his local login accounts on
> the PCs to match his login on our W2K domain here at the corporate office.
> Upon logging in locally, he could get into anything (Exchange 2000 via
> Outlook, files, etc.) without any problem.
>
> Around the 6th of January, the CEO reported that the XP PCs were showing a
> strange error message when trying to log off or shut down their PCs (the
> Win2K PC was perfectly fine, though).  This strange error message had to do
> with the HP OfficeJet G95 DCOM monitoring program not wanting to shut itself
> down (first "Hpoavn07.exe" would need to be forced closed, then "Port
> hpoipm07.exe")
>
> On the 20th, my sysadmin quit and, by the looks of it, began trying to steal
> our clients (I'd rather not get into that right now).  Given this apparently
> untrustworthy action, we shut down all of the VPN security associations and
> began building new keys for everybody.  When I finally got to the CEO's
> home, I changed those keys too.  Then we discovered a new, weird problem:
>
> The authentication info from XP PCs wouldn't pass through to the corporate
> domain - he'd be prompted by Exchange 2000 to log in when he opened Outlook
> and he would need to log in when he tried to access files on the server.
> Meanwhile, the Win2K PC works just fine.
>
> Weird, huh?  I've fully patched the XP Pro PC via Windows Update.  I
> monitored the VPN TCP stats and ports 135-139 are talking whenever he tries
> to get his email (we use both WINS and DNS servers for our local network).
>
> Ideas?  Thanks in advance for your help.
>
> - Phil
>
> Philip H. Schlesinger, MCSE, CCNA
> IT Manager
> Tel Tech Plus, Inc.
>
>
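
The four SMB signing policies mentioned in the reply above (client and server, "always" and "when possible") are stored as the `RequireSecuritySignature` and `EnableSecuritySignature` registry values of the Workstation and Server services. The following is an added example, not part of the original thread: it parses `reg query` output and predicts the signing outcome for a client/server pair. The sample output is constructed, and `negotiate` is a simplified model based on the policy descriptions, not a protocol implementation.

```python
import re

# Constructed `reg query` output (not from the post): an XP client's Workstation
# service and a W2K server's Server service, each holding two of the four policies.
XP_CLIENT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
    EnableSecuritySignature    REG_DWORD    0x1
    RequireSecuritySignature    REG_DWORD    0x0
"""
W2K_SERVER = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    enablesecuritysignature    REG_DWORD    0x1
    requiresecuritysignature    REG_DWORD    0x1
"""
ROLES = {"lanmanworkstation": "client", "lanmanserver": "server"}
VALUE = re.compile(r"(require|enable)securitysignature\s+REG_DWORD\s+(0x[0-9a-f]+)", re.I)

def parse_reg_query(text):
    """Return {role: {"require": bool, "enable": bool}} for each key found."""
    found, role = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.upper().startswith("HKEY_"):
            # Key names are case-insensitive; match on any path component.
            role = next((ROLES[p] for p in line.lower().split("\\") if p in ROLES), None)
            if role:
                found[role] = {"require": False, "enable": False}  # absent value = off
            continue
        m = VALUE.match(line)
        if m and role:
            found[role][m.group(1).lower()] = int(m.group(2), 16) != 0
    return found

def negotiate(client, server):
    """'fail' if one side requires signing the other cannot do, else signed/unsigned."""
    c_on = client["enable"] or client["require"]
    s_on = server["enable"] or server["require"]
    if (client["require"] and not s_on) or (server["require"] and not c_on):
        return "fail"
    return "signed" if c_on and s_on else "unsigned"

if __name__ == "__main__":
    cfg = parse_reg_query(XP_CLIENT + W2K_SERVER)
    print(cfg, negotiate(cfg["client"], cfg["server"]))
```
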

